Details of VAR-202404-1932

ID

VAR-202404-1932

CVE

CVE-2024-32292

TITLE

Shenzhen Tenda Technology Co.,Ltd. of w30e Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-020573

DESCRIPTION

Tenda W30E v1.0 V1.0.1.25(633) firmware contains a command injection vulnerablility in the formexeCommand function via the cmdinput parameter. Shenzhen Tenda Technology Co.,Ltd. (DoS) It may be in a state. The Tenda W30E is an enterprise-grade wireless router designed for SOHO, small and micro-enterprise offices, and small shops, supporting Wi-Fi 6 technology. The Tenda W30E suffers from a command injection vulnerability caused by the cmdinput parameter of the formexeCommand method failing to properly filter special characters and commands when constructing commands. An attacker could exploit this vulnerability to execute arbitrary commands

Trust: 2.16

sources: NVD: CVE-2024-32292 // JVNDB: JVNDB-2024-020573 // CNVD: CNVD-2025-18171

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-18171

AFFECTED PRODUCTS

vendor:	tenda	model:	w30e	scope:	eq	version:	1.0.1.25\(633\)	Trust: 1.0
vendor:	tenda	model:	w30e	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	w30e	scope:	-	version:	-	Trust: 0.8
vendor:	tenda	model:	w30e	scope:	eq	version:	w30e firmware 1.0.1.25(633)	Trust: 0.8
vendor:	tenda	model:	w30e	scope:	eq	version:	1.0.1.25(633)	Trust: 0.6
vendor:	tenda	model:	w30e	scope:	eq	version:	1.0	Trust: 0.6

sources: CNVD: CNVD-2025-18171 // JVNDB: JVNDB-2024-020573 // NVD: CVE-2024-32292

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32292
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-020573
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-18171
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-18171
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32292
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-020573
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-18171 // JVNDB: JVNDB-2024-020573 // NVD: CVE-2024-32292

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-020573 // NVD: CVE-2024-32292

PATCH

title:

Patch for Tenda W30E Command Injection Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/718031

Trust: 0.6

sources: CNVD: CNVD-2025-18171

EXTERNAL IDS

db:	NVD	id:	CVE-2024-32292	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-020573	Trust: 0.8
db:	CNVD	id:	CNVD-2025-18171	Trust: 0.6

sources: CNVD: CNVD-2025-18171 // JVNDB: JVNDB-2024-020573 // NVD: CVE-2024-32292

REFERENCES

url:	https://github.com/abcdefg-png/iot-vulnerable/blob/main/tenda/w30e/formexecommand_cmdi.md	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2024-32292	Trust: 0.8

sources: CNVD: CNVD-2025-18171 // JVNDB: JVNDB-2024-020573 // NVD: CVE-2024-32292

SOURCES

db:	CNVD	id:	CNVD-2025-18171
db:	JVNDB	id:	JVNDB-2024-020573
db:	NVD	id:	CVE-2024-32292

LAST UPDATE DATE

2025-08-15T05:46:05.567000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-18171	date:	2025-08-12T00:00:00
db:	JVNDB	id:	JVNDB-2024-020573	date:	2025-03-19T01:23:00
db:	NVD	id:	CVE-2024-32292	date:	2025-03-17T16:00:28.613

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-18171	date:	2025-08-12T00:00:00
db:	JVNDB	id:	JVNDB-2024-020573	date:	2025-03-19T00:00:00
db:	NVD	id:	CVE-2024-32292	date:	2024-04-17T14:15:09.063